Thu Aug 25 09:10:45 UTC 2011patches/packages/php-5.3.8-x86_64-1_slack13.37.txz: Upgraded. Security fixes vs. 5.3.6 (5.3.7 was not usable): Updated crypt_blowfish to 1.2. (CVE-2011-2483) Fixed crash in error_log(). Reported by Mateusz Kocielski Fixed buffer overflow on overlog salt in crypt(). Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202) Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938) Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148) For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1148 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2202 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483 For those upgrading from PHP 5.2.x, be aware that quite a bit has changed, and it will very likely not 'drop in', but PHP 5.2.x is not supported by php.net any longer, so there wasn't a lot of choice in the matter. We're not able to support a security fork of PHP 5.2.x here either, so you'll have to just bite the bullet on this. You'll be better off in the long run. :) (* Security fix *)+--------------------------+Fri Aug 12 23:20:00 UTC 2011patches/packages/bind-9.7.4-x86_64-1_slack13.37.txz: Upgraded. This BIND update addresses a couple of security issues: * named, set up to be a caching resolver, is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache the response. Due to an off-by-one error, caching the response could cause named to crash. [RT #24650] [CVE-2011-1910] * Change #2912 (see CHANGES) exposed a latent bug in the DNS message processing code that could allow certain UPDATE requests to crash named. [RT #24777] [CVE-2011-2464] For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464 (* Security fix *)+--------------------------+Fri Jul 29 18:22:40 UTC 2011patches/packages/dhcpcd-5.2.12-x86_64-1_slack13.37.txz: Upgraded. Sanitize the host name provided by the DHCP server to insure that it does not contain any shell metacharacters. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0996 (* Security fix *)patches/packages/libpng-1.4.8-x86_64-1_slack13.37.txz: Upgraded. Fixed uninitialized memory read in png_format_buffer() (Bug report by Frank Busse, related to CVE-2004-0421). For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421 (* Security fix *)patches/packages/samba-3.5.10-x86_64-1_slack13.37.txz: Upgraded. Fixed cross-site request forgery and cross-site scripting vulnerability in SWAT (the Samba Web Administration Tool). For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2522 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2694 (* Security fix *)+--------------------------+Thu Jul 14 21:34:41 UTC 2011patches/packages/mozilla-firefox-5.0.1-x86_64-1_slack13.37.txz: Upgraded. I guess this is only a fix for Mac OS X, but it's still 0.0.1 better. ;-)patches/packages/seamonkey-2.2-x86_64-1_slack13.37.txz: Upgraded. This update contains security fixes and improvements. For more information, see: http://www.mozilla.org/security/announce/ (* Security fix *)patches/packages/seamonkey-solibs-2.2-x86_64-1_slack13.37.txz: Upgraded. This update contains security fixes and improvements. For more information, see: http://www.mozilla.org/security/announce/ (* Security fix *)+--------------------------+Fri Jul 8 16:55:13 UTC 2011patches/packages/bind-9.7.3_P3-x86_64-1_slack13.37.txz: Upgraded. A specially constructed packet will cause BIND 9 ("named") to exit, affecting DNS service. The issue exists in BIND 9.6.3 and newer. "Change #2912 (see CHANGES) exposed a latent bug in the DNS message processing code that could allow certain UPDATE requests to crash named. This was fixed by disambiguating internal database representation vs DNS wire format data. [RT #24777] [CVE-2011-2464]" For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464 (* Security fix *)patches/packages/mozilla-thunderbird-3.1.11-x86_64-1_slack13.37.txz: Upgraded. This release contains security fixes and improvements. For more information, see: http://www.mozilla.org/security/known-vulnerabilities/thunderbird30.html (* Security fix *)+--------------------------+Wed Jun 29 18:17:56 UTC 2011patches/packages/ghostscript-9.02-x86_64-1_slack13.37.txz: Upgraded. Ghostscript 9.02 is being supplied as a non-security update for Slackware 13.37 to address a regression that could cause corrupted output. We've also been advised that CUPS will be increasing a cache memory setting in future releases, so if this doesn't solve all the issues, try adding this to /etc/cups/cupsd.conf: RIPCache 128m+--------------------------+Mon Jun 27 21:29:54 UTC 2011patches/packages/pidgin-2.9.0-x86_64-1_slack13.37.txz: Upgraded. Fixed a remote denial of service. A remote attacker could set a specially crafted GIF file as their buddy icon causing vulerable versions of pidgin to crash due to excessive memory use. For more information, see: http://pidgin.im/news/security/?id=52 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2485 (* Security fix *)+--------------------------+Fri Jun 24 02:55:39 UTC 2011patches/packages/mozilla-firefox-5.0-x86_64-1_slack13.37.txz: Upgraded. This release contains security fixes and improvements. For more information, see: http://www.mozilla.org/security/known-vulnerabilities/firefox.html (* Security fix *)+--------------------------+Mon Jun 20 00:49:34 UTC 2011patches/packages/fetchmail-6.3.20-x86_64-1_slack13.37.txz: Upgraded. This release fixes a denial of service in STARTTLS protocol phases. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1947 http://www.fetchmail.info/fetchmail-SA-2011-01.txt (* Security fix *)patches/packages/seamonkey-2.1-x86_64-1_slack13.37.txz: Upgraded.patches/packages/seamonkey-solibs-2.1-x86_64-1_slack13.37.txz: Upgraded. This official release replaces the beta version in Slackware 13.37.+--------------------------+Fri May 27 22:56:00 UTC 2011patches/packages/bind-9.7.3_P1-x86_64-1_slack13.37.txz: Upgraded. This release fixes security issues: * A large RRSET from a remote authoritative server that results in the recursive resolver trying to negatively cache the response can hit an off by one code error in named, resulting in named crashing. [RT #24650] [CVE-2011-1910] * Zones that have a DS record in the parent zone but are also listed in a DLV and won't validate without DLV could fail to validate. [RT #24631] For more information, see: http://www.isc.org/software/bind/advisories/cve-2011-1910 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910 (* Security fix *)+--------------------------+Wed May 25 20:03:16 UTC 2011patches/packages/apr-1.4.5-x86_64-1_slack13.37.txz: Upgraded. This fixes a possible denial of service due to a problem with a loop in the new apr_fnmatch() implementation consuming CPU. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1928 (* Security fix *)patches/packages/apr-util-1.3.12-x86_64-1_slack13.37.txz: Upgraded. Fix crash because of NULL cleanup registered by apr_ldap_rebind_init().patches/packages/httpd-2.2.19-x86_64-1_slack13.37.txz: Upgraded. Revert ABI breakage in 2.2.18 caused by the function signature change of ap_unescape_url_keep2f(). This release restores the signature from 2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex(). Apache httpd-2.2.18 is considered abandoned. All users must upgrade.+--------------------------+Fri May 13 20:30:07 UTC 2011patches/packages/apr-1.4.4-x86_64-1_slack13.37.txz: Upgraded. This fixes a possible denial of service due to an unconstrained, recursive invocation of apr_fnmatch(). This function has been reimplemented using a non-recursive algorithm. Thanks to William Rowe. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419 (* Security fix *)patches/packages/apr-util-1.3.11-x86_64-1_slack13.37.txz: Upgraded.patches/packages/httpd-2.2.18-x86_64-1_slack13.37.txz: Upgraded. This is a bug fix release, but since the upgrades to apr/apr-util require at least an httpd recompile we opted to upgrade to the newest httpd.+--------------------------+Tue May 3 03:35:28 UTC 2011patches/packages/mozilla-firefox-4.0.1-x86_64-1_slack13.37.txz: Upgraded. This release contains security fixes and improvements. For more information, see: http://www.mozilla.org/security/known-vulnerabilities/firefox36.html (* Security fix *)patches/packages/mozilla-thunderbird-3.1.10-x86_64-1_slack13.37.txz: Upgraded. This release contains security fixes and improvements. For more information, see: http://www.mozilla.org/security/known-vulnerabilities/thunderbird30.html (* Security fix *)+--------------------------+

Tue Nov 8 04:07:49 UTC 2011patches/packages/openssh-5.9p1-x86_64-2_slack13.37.txz: Upgraded. Upstream different timestamp, size, ChangeLog. GPG verifies on both this newer one and what we had before (?).patches/packages/mozilla-firefox-8.0-x86_64-1_slack13.37.txz: Upgraded.+--------------------------+

Thu Feb 2 00:13:21 UTC 2012patches/packages/ca-certificates-20111211-noarch-1_slack13.37.txz: Upgraded. Removes DigiNotar and other untrusted certificates. (* Security fix *)patches/packages/coreutils-8.15-x86_64-1_slack13.37.txz: Upgraded. This will be provided as a patch to fix some important issues with ext4. Thanks to Georgy Salnikov for the notification.patches/packages/freetype-2.4.8-x86_64-1_slack13.37.txz: Upgraded. Some vulnerabilities in handling CID-keyed PostScript fonts have been fixed. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3439 (* Security fix *)patches/packages/mozilla-firefox-10.0-x86_64-1_slack13.37.txz: Upgraded. This fixes some security issues. For more information, see: http://www.mozilla.org/security/known-vulnerabilities/firefox.html (* Security fix *)patches/packages/mozilla-thunderbird-10.0-x86_64-1_slack13.37.txz: Upgraded. This release contains security fixes and improvements. For more information, see: http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html (* Security fix *)patches/packages/openssl-0.9.8t-x86_64-1_slack13.37.txz: Upgraded. This fixes a bug where DTLS applications were not properly supported. This bug could have allowed remote attackers to cause a denial of service via unspecified vectors. CVE-2012-0050 has been assigned to this issue. For more details see: http://openssl.org/news/secadv_20120118.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0050 (* Security fix *)patches/packages/openssl-solibs-0.9.8t-x86_64-1_slack13.37.txz: Upgraded. This fixes a bug where DTLS applications were not properly supported. This bug could have allowed remote attackers to cause a denial of service via unspecified vectors. CVE-2012-0050 has been assigned to this issue. For more details see: http://openssl.org/news/secadv_20120118.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0050 (* Security fix *)patches/packages/seamonkey-2.7-x86_64-1_slack13.37.txz: Upgraded. This update contains security fixes and improvements. For more information, see: http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html (* Security fix *)patches/packages/seamonkey-solibs-2.7-x86_64-1_slack13.37.txz: Upgraded. This update contains security fixes and improvements. For more information, see: http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html (* Security fix *)+--------------------------+

Wed Feb 8 01:21:42 UTC 2012patches/packages/apr-util-1.4.1-x86_64-1_slack13.37.txz: Upgraded. Version bump for httpd upgrade.patches/packages/glibc-2.13-x86_64-5_slack13.37.txz: Rebuilt. Patched an overflow in tzfile. This was evidently first reported in 2009, but is only now getting around to being patched. To exploit it, one must be able to write beneath /usr/share/zoneinfo, which is usually not possible for a normal user, but may be in the case where they are chroot()ed to a directory that they own. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029 (* Security fix *)patches/packages/glibc-i18n-2.13-x86_64-5_slack13.37.txz: Rebuilt.patches/packages/glibc-profile-2.13-x86_64-5_slack13.37.txz: Rebuilt. (* Security fix *)patches/packages/glibc-solibs-2.13-x86_64-5_slack13.37.txz: Rebuilt. (* Security fix *)patches/packages/glibc-zoneinfo-2.13-noarch-5_slack13.37.txz: Rebuilt.patches/packages/httpd-2.2.22-x86_64-1_slack13.37.txz: Upgraded. *) SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations. [Joe Orton] *) SECURITY: CVE-2011-3607 (cve.mitre.org) Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file. [Stefan Fritsch, Greg Ames] *) SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations. [Joe Orton] *) SECURITY: CVE-2012-0021 (cve.mitre.org) mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format string is in use and a client sends a nameless, valueless cookie, causing a denial of service. The issue existed since version 2.2.17. PR 52256. [Rainer Canavan <rainer-apache 7val com>] *) SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process could cause the parent to crash at shutdown rather than terminate cleanly. [Joe Orton] *) SECURITY: CVE-2012-0053 (cve.mitre.org) Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400. [Eric Covener] For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053 (* Security fix *)patches/packages/php-5.3.10-x86_64-1_slack13.37.txz: Upgraded. Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830. (Stas, Dmitry) For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830 (* Security fix *)patches/packages/proftpd-1.3.4a-x86_64-1_slack13.37.txz: Upgraded. This update fixes a use-after-free() memory corruption error, and possibly other unspecified issues. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4130 (* Security fix *)patches/packages/vsftpd-2.3.5-x86_64-1_slack13.37.txz: Upgraded. Minor version bump, this also works around a hard to trigger heap overflow in glibc (glibc zoneinfo caching vuln). For there to be any possibility to trigger the glibc bug within vsftpd, the non-default option "chroot_local_user" must be set in /etc/vsftpd.conf. Considered 1) low severity (hard to exploit) and 2) not a vsftpd bug :-) Nevertheless: (* Security fix *)+--------------------------+